amazon-archives / amazon-cognito-identity-js

Amazon Cognito Identity SDK for JavaScript

Security in question with use of crypto-browserify ? #667

Closed iDVB closed 6 years ago

iDVB commented 6 years ago

Snyk.io is cautioning against the usage of crypto-browserify https://snyk.io/test/npm/amazon-cognito-identity-js/1.31.0?severity=high&severity=medium&severity=low which is used in the older version of aws-sdk that this currently uses.

Simply upgrading aws-sdk removes this concern.

rianwouters commented 6 years ago

See also #672

itrestian commented 6 years ago

Yes, the issue with crypto-browserify is that on older browsers such as Opera Mini, Math.random is used for generating random numbers.

We had for a while the following info related to this in the README: "In order to authenticate with the Amazon Cognito Identity Service, the client needs to generate a random number as part of the SRP protocol. The AWS SDK is only compatible with modern browsers, and these include support for cryptographically strong random values. If you do need to support older browsers then you should be aware that this is less secure, and if possible include a strong polyfill for window.crypto.getRandomValues() before including this library."

Yes, the main aws sdk removed the function in version v2.178.0 and we pinned to v2.177.0.

Overall, we are in the process of migrating this repo to the aws-amplify repo where this issue is fixed (functionality stays the same).

https://github.com/aws/aws-amplify/tree/master/packages

itrestian commented 6 years ago

This has been solved in the new version 2.0.0 located on NPM and we will continue development of this library as part of AWS Amplify https://github.com/aws/aws-amplify/tree/master/packages/amazon-cognito-identity-js